[Public Interpretations Database]

PD-0092: Does ISO 9001 Certification imply that ACM_CAP.2 has been met?


This decision represents a long-term technical decision based on an OD, and may not be the same as the final results of the source OD. With respect to published criteria documentation and scheme documents, it provides suggested guidance on evaluation direction, but is not authoritative. Authoritative decisions are provided through the published criteria documents and published scheme and international interpretations thereof. With respect to published PPs, PDs are authoritative corrections to the PP, based on input from the PP author (if available), that are in force until the publication of the next revision of that PP.


Effective Date: 2003-05-23
Last Modified: 2006-08-02

Issue

Does ISO 9001 Certification imply that ACM_CAP.2 has been met?

Resolution

The relevant ACM_CAP.2 requirements under consideration here are:

ACM_CAP.2.2D The developer shall use a CM System.

ACM_CAP.2.3C The CM Documentation shall include a configuration list.

ACM_CAP.2.4C The configuration list shall describe the configuration items that comprise the TOE.

ACM_CAP.2.5C The CM documentation shall describe the method used to uniquely identify the configuration items.

ACM_CAP.2.6C The CM system shall uniquely identify all configuration items.

Specifically, two sub-questions need to be asked in the context of the relevant requirements:

  1. Can an ISO 9001 Certificate (representing a potential third party analysis of the developer's development process) qualify as evidence that a CM system is "in use" by the developer (see CC v2.1, ACM_CAP.2.2D and CEM v1.0 para 648)?

  2. Can an ISO 9001 Certified Quality Manual meet ACM_CAP.2.3C-6C?

Specifically concerning question 1, the ACM_CAP.2 methodology (CEM v1.0, para 648) is very clear that the evidence to be examined by an evaluation team in confirming "the CM system is being used" is minimal and scoped by the evaluator work units ACM_CAP.2-1 through ACM_CAP.2-6. All of these work units deal directly with examining and checking TOE references/configuration items in delivered documentation (e.g., the ISO 9001 Quality Manual). There is no requirement for developers to offer any other evidence that they are actually "using" the configuration management system that is required in ACM_CAP.2.1D. Therefore, the presentation of an ISO 9001 Certificate as evidence to show compliance with ACM_CAP.2.2D is sufficient (but not necessary).

Specifically concerning question 2, ISO 9001 requirements do not require the type of information on Configuration Items that is explicitly called for in ACM_CAP.2.3C-6C. Therefore, presenting an ISO 9001 Certificate as evidence for meeting these requirements is not sufficient. The developer must present documentation that explicitly addresses these requirements. (Such information may be found in an ISO 9001 Quality Manual, but this may not always be the case.) The evaluators are required to examine this evidence using the Common Evaluation Methodology, work units ACM_CAP.2-1 through ACM_CAP.2-7.

Modification History:

2004-08-12
Updated effective date to reflect the date the PD was issued. (August 2004 NIB 6.c.xiv)

References:

  • CC v2.1

Related NIs:

  • None

Related CCIMB-INTERPs:

  • None

Source OD: 0183